“VIRUS” From Webster's 9th


From Latin: slimy liquid, poison, stench. 

Causative agent of an infectious disease. 

Complex molecules capable of growth and multiplication only in living cells.

What is BRL?


• U. S. Army Ballistic Research Laboratory 

• One of America's foremost research and 
development labs. 

• 700 Scientists & Engineers pursuing in-house research programs

• 5 Scientific Divisions 

• 3 Support Divisions 

• Networked Computers are all pervasive throughout research and administrative staffs

• ~200 systems

• UNIX Cray X-MP/48 and Cray-2

History, Part 1


• 1800 PST Wed: virus seen at Rand Corp.

• 2345 EST Wed: virus enters VGR.BRL.MIL. 

• 0300 Thu: VGR was seen attacking other machines. 

• 1000 Thu: BRL disconnected from MILNET, DISNET, NSI; VGR totally isolated.

• 1200 Thu: BRLNET checking complete: no virus on inside.

• 1600 Thu: Coordinating w/other researchers. DCA orders MILNET hosts shutdown, blows MIL/ARPA gws.

• 2200 Thu: Virus was lead story on CNN

• 2300 Thu: VGR "Test Cell" prepared, connected to MILNET.

History, Part 2


• 0645 Fri: MIL/ARPA gateways restored 

• 0030 Sat: Virus trapped in "Test Cell", UCB src rcvd. 

• 0630 Sat: BRL-wide power outage (sigh) 

• 0600 Mon: 2 Additional attack modules rev-eng. 

• 1200 Mon: BRL "Vulnerability Sweep" programs operating

• 1600 Mon: Patched servers installed

• ~1200 Tue: reattach BRL to network

Who BRL Worked With Through the Night


• Tim Smith, US Naval Academy 

• Cliff Stoll, Harvard

• Keith Bostic, Berkeley

• Rick Adams, Seismo

• Jenny, CONUS MILNET Monitoring

• Bob Fields, CONUS MILNET Monitoring

• CPT Bill Arbaugh, Pentagon

• Peter Yee, NASA/Berkeley

The BRL Approach


• Use instrumented “Test Cell” 

• Analyze attack modes 

• Coordinate community efforts via telephone 

• Assist with reverse engineering 

• Relay info on attack modes (incl flukes):

— 2nd priv inetd (3 sites) 

— Ingres lock daemon 

— System accounting

The Attack Modes


External

• Sendmail SMTP Server

• Finger Daemon

Internal

• Password attack [word list]

• /.rhosts 

• /etc/hosts.equiv 

• .forward

After Penetration


• “Gorch Attack” — sends l1.c sources, compiles and run.

• “L1, Loading” — sets Sun and VAX obj from network.

• “L1, Shell” — Links 2nd stage: “P”

• “P Attack” — Crack & Propagate

Network Sweep Tool


— Finger Daemon buffer over-run

— FTP bugs 

— TFTP bugs 

— passwd/rsh 

— SMTP/Sendmail [Wiz, Debug]

Fixes


• Improved fingerd, with logging 

• FTPD fixes 

• TFTPD fixes 

• Code installed on VAXen, Suns, Goulds

• In progress on Crays, Alliant, Convex, SGI

• BRL has source code licenses.

Books, News


“Adolescence of P1”
“Sole on Saphire”


Press coverage was remarkably good. My congratulations to the Public Relations folks.

My fear: these headlines:

“Computer Virus Spreads to Humans: 96 
Left Dead...” 



BRL Status 


• No information lost 

• Minor disruption of work schedules due to 
network disconnection 

• BRL Computers now secure against this 
threat 

• Anti-Viral Team used ~500 man-hours 

• Incidental people used ~1000 man-hours
— Copy of virus still captive in test cell

Who is This MUUSS Fellow, Anyway?

Michael Muuss 

Leader, Adv. Computer Systems Team 
Ballistic Research Laboratory 
APG, MD 21005-5066, U.S.A. 

(301)-278-6678 
AV 283-6678

ArpaNet: <Mike @ BRL.MIL>

The BRL “Virus Busters”


• Mike Muuss 

• Phil Dykstra 

• Doug Gwyn 

• Terry Slattery 

• Bob Reschly

• Sue Muuss

• Lee Butler [NASA STScI] 


This document is from the holdings of: 

The National Security Archive 

Suite 701, Gelman Library, The George Washington University 
2130 H Street, NW, Washington, D.C., 20037 
Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu 


